Microsoft Intune: Complete Setup, Configuration, and Best Practices Guide 2026
Why Microsoft Intune Setup Feels So Broken (And Why It Isn't)
Picture this: your organization just committed to Microsoft Intune for endpoint management. You've got the licenses, you've got the admin center open, and you're ready to enroll your first batch of devices. Then, nothing works the way you expected. Devices fail to enroll. Policies deploy but don't apply. Apps show as "pending install" for days. The error message staring back at you is a cryptic hex code like 0x80180014 or 0x8018002b, and Microsoft's own documentation feels like it was written for someone who already knows the answer.
I've seen this exact situation on dozens of deployments, from 20-device small businesses to 15,000-seat enterprise rollouts. The frustration is real, and I won't pretend otherwise. The good news is that almost every Microsoft Intune configuration problem has a specific, fixable root cause.
So what actually goes wrong? A few things show up again and again:
MDM authority conflicts. If your tenant previously used a hybrid Configuration Manager setup, or if someone accidentally set the wrong MDM authority, new enrollments will fail with error 0x80180026, "enrollment blocked by policy." The admin center looks fine, but under the hood the authority is misconfigured.
License assignment gaps. Microsoft Intune requires a valid Intune license assigned to each user before their device can enroll. Sounds obvious, but in practice, IT teams assign licenses in bulk through group-based licensing and then wonder why the new hire's laptop won't enroll. Spoiler: the group membership sync hadn't completed yet.
Azure AD join vs. Hybrid Azure AD join confusion. These are two completely different enrollment paths with different requirements. Mixing them up is one of the top causes of Intune enrollment issues for Windows devices in domain-joined environments.
Conditional Access blocking enrollment. Your security team set up a Conditional Access policy requiring compliant devices, but the device can't become compliant until it's enrolled. Classic chicken-and-egg problem. I've seen this block entire device fleets.
Certificate and network issues. Intune relies on specific Microsoft endpoints being reachable. If your firewall is blocking *.manage.microsoft.com or the Device Health Attestation service at has.spserv.microsoft.com, enrollment will silently fail or time out.
The error messages Intune surfaces in the admin center are often vague: they tell you that something failed, not why. That's the core of the frustration. This guide gives you the "why" and the fix for every major scenario.
Microsoft Intune is a cloud-based endpoint management solution that handles user access to organizational resources, device configuration, app deployment, and security policy enforcement across Android, iOS/iPadOS, macOS, Linux Ubuntu Desktop, and Windows devices. When it works, it's genuinely excellent. When it doesn't, you need to know exactly where to look.
The Quick Fix: Try This First
Before you spend two hours digging through Event Viewer logs, run through this checklist. In my experience, 60% of Microsoft Intune enrollment and policy deployment failures trace back to one of these four things:
1. Confirm the user has an active Intune license. Go to the Microsoft Intune admin center at intune.microsoft.com, navigate to Users > All Users, find the affected user, then click Licenses. You need to see either a Microsoft Intune Plan 1 license, a Microsoft 365 Business Premium license, an EMS E3/E5 license, or a Microsoft 365 E3/E5 license assigned and in "Active" state, not "Pending" or "Error."
2. Verify the MDM authority is set to Intune. In the Intune admin center, go to Tenant administration > Tenant status. Under the Tenant details tab, find the "MDM authority" field. It must read "Microsoft Intune." If it says "Configuration Manager" or "Unknown," that is your problem right there.
3. Check enrollment restrictions. Go to Devices > Enrollment > Enrollment restrictions. Confirm that the default enrollment restriction allows the device platform (Windows, iOS, Android) and that the device limit is not set to 0. I've seen admins accidentally set the device limit restriction to 1 while testing, then forget to change it back before rollout.
4. Test basic network connectivity from the device. Open a browser on the device and navigate to https://portal.manage.microsoft.com. If that URL is unreachable or returns an SSL error, you have a network/firewall problem that will prevent any enrollment from succeeding, regardless of how the admin center is configured.
If all four check out and you're still hitting issues, the rest of this guide walks through every scenario in detail.
To collect everything at once, run the built-in MDM Diagnostics Tool from an elevated command prompt on the affected Windows device:
mdmdiagnosticstool.exe -area DeviceEnrollment -zip C:\Temp\MDMLogs.zip
This generates a ZIP file with enrollment logs, applied policies, and certificate status, all in one place. It saves hours compared to manually hunting through Event Viewer.
Everything in Microsoft Intune starts with a properly licensed tenant. If you're starting fresh, sign in to the Microsoft Intune admin center at intune.microsoft.com using your Global Administrator or Intune Administrator account. The very first thing the admin center shows new tenants is a setup wizard; don't skip it, even if you're an experienced admin. It walks you through MDM authority configuration, which, if done wrong at this stage, causes cascade failures down the line.
For license assignment, the cleanest method is group-based licensing through Microsoft Entra ID (formerly Azure Active Directory). Go to Microsoft Entra admin center > Groups > All Groups, select or create your Intune Users group, then click Licenses > Assignments and assign the appropriate plan. The critical thing to understand: there is a replication delay of up to 24 hours for license changes to propagate to all services. If you assign a license and immediately try to enroll a device, it may fail with error 0x80070774 simply because the license hasn't fully activated yet.
For a quick sanity check on any individual user, use this PowerShell command after connecting with the Microsoft Graph PowerShell module:
Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All"
Get-MgUserLicenseDetail -UserId "user@yourdomain.com" |
Select-Object -ExpandProperty ServicePlans |
Where-Object { $_.ServicePlanName -like "*INTUNE*" }
You're looking for INTUNE_A or INTUNE_O365 in the output with a ProvisioningStatus of "Success." Anything else ("PendingInput," "Disabled," or no output at all) means the license isn't active for that user. Fix the license assignment first. Nothing else matters until this is right.
If it worked: the user appears in Intune admin center > Users > All Users with no license error banners, and the MDM authority shows "Microsoft Intune" in Tenant Status.
The MDM authority setting tells your tenant which management solution is in charge of mobile device management. For a pure cloud-managed Intune deployment, this must be set to "Microsoft Intune." If you're running a co-management scenario with Configuration Manager, you'll set it differently, but for most organizations moving to cloud-native endpoint management, Intune-only is the right call.
To configure enrollment settings, go to Devices > Enrollment in the Intune admin center. You'll see platform-specific sections: Windows enrollment, Apple enrollment, Android enrollment. For Windows, the most important setting is under Windows enrollment > Automatic Enrollment. Set the MDM user scope to "All" (or a specific group for a phased rollout). If MDM user scope is set to "None," no Windows device in your tenant can enroll via Azure AD join, full stop. This is the single most common misconfiguration I see in new deployments.
For iOS/iPadOS and macOS devices, you'll need an Apple MDM Push Certificate. This is non-negotiable. Go to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple MDM Push certificate and follow the certificate request process. You'll download a CSR, upload it to Apple's Push Certificate Portal at identity.apple.com/pushcert, download the resulting .pem file, and upload it back to Intune. This certificate expires annually; calendar that renewal, because if it expires, all your iOS/iPadOS devices lose management, and re-enrollment is required.
For Android, decide upfront between Android Enterprise (recommended for corporate devices) and Device Administrator mode (legacy, being phased out). Android Enterprise enrollment uses a managed Google Play account linked to your tenant; go to Devices > Android > Android enrollment > Managed Google Play to connect your account.
If it worked: each platform section in Devices > Enrollment shows a green status indicator, and test enrollments succeed without error 0x80180026.
Microsoft Intune supports multiple enrollment methods, and choosing the wrong one for your scenario is a major source of configuration errors. Here's the breakdown by device type and ownership model:
Windows, Corporate devices: Windows Autopilot is the gold standard. Devices are pre-registered with your tenant using their hardware hash, so when an employee powers on a new device and signs in with their corporate credentials, Azure AD join and Intune enrollment happen automatically, with no IT imaging required. To register devices, import the hardware hash CSV into Devices > Enrollment > Windows enrollment > Devices. To get the hardware hash from an existing device:
Install-Script -Name Get-WindowsAutoPilotInfo -Force
Get-WindowsAutoPilotInfo -OutputFile C:\Temp\AutoPilotHWID.csv
Windows, Personal/BYOD devices: Users enroll via Settings > Accounts > Access work or school > Connect. This triggers an MDM enrollment flow. The user's device gets Intune policies but remains personally owned; the line between corporate and personal data management is controlled by your app protection policies, not device-level MDM.
iOS/iPadOS, Corporate devices: Use Automated Device Enrollment (ADE, formerly DEP) through Apple Business Manager or Apple School Manager. Link your Apple Business Manager account to Intune under Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens. ADE-enrolled devices are supervised, giving you significantly more management control than non-supervised enrollment.
Android Enterprise, Corporate devices: Use the Fully Managed enrollment method. Generate a token in Devices > Android > Android enrollment > Corporate-owned, fully managed user devices, then use the token or QR code during device setup. For work profile on BYOD Android, users download the Intune Company Portal app from Google Play and follow the in-app enrollment flow.
If it worked: newly enrolled devices appear in Devices > All Devices within minutes of enrollment, showing "Managed by Intune" and a sync status of "Succeeded."
Getting devices enrolled is only half the job. Microsoft Intune's real value is in pushing configuration profiles and compliance policies that enforce your security baseline across every managed device. This is also where many admins run into frustrating problems: policies show as "assigned" but never apply, or devices show as "not compliant" even when they should be.
To create a configuration profile, go to Devices > Configuration > Create > New Policy. Select your platform, then choose a profile type. For Windows, the most commonly used types are:
- Settings catalog: the modern way, giving you granular access to thousands of individual settings
- Templates > Endpoint protection: for BitLocker, Windows Defender Firewall, Microsoft Defender Antivirus
- Templates > Device restrictions: controlling camera, Bluetooth, USB, and factory reset options
When a profile doesn't apply, the first thing to check is assignment. Go to the profile, click Properties > Assignments, and verify the device or user group is listed under "Included groups." Then go to the device itself in Devices > All Devices, click on it, and check Device configuration; each profile shows an "Apply" status. If a profile shows "Error" or "Conflict," click through to see the specific setting causing the conflict.
For compliance policies, go to Devices > Compliance > Policies > Create Policy. Set the platform and define your requirements: minimum OS version, BitLocker required, antivirus required, device encryption required, and so on. Assign the policy to your device groups.
One thing that trips people up: compliance evaluation requires the device to check in with Intune. By default, devices sync every 8 hours, but you can force an immediate sync from Devices > All Devices, select the device, then click Sync. After the sync completes (usually within 5 minutes), check the compliance status again.
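The check-in timing described above can be automated. As an added example (not code from the original guide), this script uses the Microsoft Graph PowerShell SDK to list non-compliant devices that have not synced within the default 8-hour window and queue the same Sync action the admin center offers; the module names, permission scopes and the $DryRun switch are this example's assumptions.

```powershell
# Added example, not from the original guide: find managed devices that are
# non-compliant and have not checked in within the default 8-hour sync window,
# then queue the same Sync action the admin center offers so compliance is
# re-evaluated. Assumes the Microsoft.Graph PowerShell SDK is installed
# (Microsoft.Graph.DeviceManagement and Microsoft.Graph.DeviceManagement.Actions).
# Set $DryRun to $false to actually queue the syncs.

$DryRun = $true

# Read.All covers listing devices; the syncDevice action is a privileged operation.
$Scopes = @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)
Connect-MgGraph -Scopes $Scopes

function Get-StaleNoncompliantDevices {
    param([int]$SyncWindowHours = 8)
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$SyncWindowHours)
    Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All |
        # Devices that never synced (null LastSyncDateTime) count as stale too.
        Where-Object { -not $_.LastSyncDateTime -or $_.LastSyncDateTime -lt $cutoff } |
        Select-Object Id, DeviceName, OperatingSystem, UserPrincipalName, LastSyncDateTime
}

$stale = @(Get-StaleNoncompliantDevices)
Write-Host "Non-compliant devices with no check-in in the last 8 hours: $($stale.Count)"
$stale | Format-Table -AutoSize

foreach ($d in $stale) {
    if ($DryRun) {
        Write-Host "[dry run] would queue sync for $($d.DeviceName) (last sync: $($d.LastSyncDateTime))"
        continue
    }
    # Equivalent to Devices > All Devices > (device) > Sync in the admin center.
    Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    Write-Host "Sync queued for $($d.DeviceName); re-check compliance in about 5 minutes"
}
```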
If it worked: devices in Devices > All Devices show "Compliant" status, and your configuration profiles show "Succeeded" in the device's configuration detail view.
App management is one of Microsoft Intune's strongest features. You can deploy apps to devices, manage updates, and protect corporate data inside apps, even on devices that aren't enrolled in Intune at all, using App Protection Policies (APP).
To add an app, go to Apps > All Apps > Add. Intune supports several app types:
- Microsoft 365 Apps for Windows 10 and later: deploy the full Office suite including Teams with one click
- Win32 app: package any EXE or MSI into a .intunewin file using the Microsoft Win32 Content Prep Tool and deploy it silently
- Line-of-business (LOB) app: upload MSI, APPX, or IPA files directly
- Web app / Store app: link to web apps or apps from the Microsoft Store for Business
For Win32 apps, prepare your package with this command:
IntuneWinAppUtil.exe -c "C:\SourceFolder" -s "Setup.exe" -o "C:\OutputFolder"
This generates the .intunewin file you upload to Intune. Specify your install command (e.g., Setup.exe /S /quiet), uninstall command, and detection rules so Intune knows whether the app is already installed on a device before trying to deploy it again.
App Protection Policies are the killer feature for BYOD scenarios. Under Apps > App protection policies > Create Policy, select your platform and configure settings like: require PIN to access work apps, block copy/paste between work and personal apps, require encryption of app data, and remotely wipe only corporate app data without touching personal content. Microsoft Outlook, Teams, Word, Excel, PowerPoint, and OneDrive all support these policies natively.
If app deployments are stuck in "Pending install," check that the device has checked in recently (force a sync), verify the user is in the assigned group, and confirm the detection rule is correct. A wrong detection rule causes Intune to think the app isn't installed even after a successful installation, resulting in repeated, failed install loops logged in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider, Event ID 1905.
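Because a wrong detection rule is what produces the Event ID 1905 install loop described above, here is an added example of a custom detection script for a Win32 app (not code from the original guide). The product name and minimum version are placeholders for the app you packaged; the only contract that matters is the one the script enforces: exit 0 plus STDOUT output means "installed," anything else means "not installed."

```powershell
# Added example, not from the original guide: a custom detection script for
# a Win32 app. Intune treats the app as installed only when the script exits
# with code 0 AND writes something to STDOUT; any other exit code, or no
# output, means "not detected" and Intune will (re)attempt the install.
# $ProductName and $MinimumVersion are placeholders for the app you packaged
# with IntuneWinAppUtil.exe; if $MinimumVersion is higher than the DisplayVersion
# the installer actually writes, you get exactly the install loop the guide describes.

$ProductName    = 'Contoso Example App'   # placeholder: DisplayName as shown in Programs and Features
$MinimumVersion = [version]'2.5.0'        # placeholder: the version your .intunewin installs

# Both native and 32-bit-on-64-bit uninstall hives, since MSI/EXE installers use either.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledVersion {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        $match = Get-ChildItem $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -eq $Name } |
            Select-Object -First 1
        if ($match -and $match.DisplayVersion) {
            # Non-numeric DisplayVersion strings (e.g. "2.5.0 beta") are treated as unknown.
            try { return [version]$match.DisplayVersion } catch { return $null }
        }
    }
    return $null
}

$installed = Get-InstalledVersion -Name $ProductName

if ($installed -and $installed -ge $MinimumVersion) {
    # Detected: STDOUT output plus exit 0 tells Intune the app is present.
    Write-Output "Detected $ProductName $installed"
    exit 0
}

# Not detected: nothing on STDOUT and a non-zero exit code.
exit 1
```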
If it worked: apps appear in Apps > All Apps with an "Installed" install status for target devices, and the Company Portal app on enrolled devices shows apps as available and installed.
Advanced Troubleshooting for Microsoft Intune
When the basic steps haven't resolved your Microsoft Intune problems, it's time to go deeper. Here are the advanced scenarios I hit most often in enterprise environments.
Event Viewer: Your First Stop for Enrollment Failures
On Windows devices, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. This log is the most detailed source of Intune enrollment and policy application errors on Windows. Key event IDs to know:
- Event ID 72: MDM enrollment failure (check description for specific error code)
- Event ID 1905: App install failure with error detail
- Event ID 404: Policy application error, usually means a setting conflict
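Rather than scrolling through Event Viewer by hand, the same log can be queried from PowerShell. This added example (not code from the original guide) pulls the three event IDs listed above, extracts any 0x-style error codes from the message text, and labels the codes this guide discusses; the $KnownCodes descriptions are paraphrased from the guide, and everything else is left unlabelled rather than guessed.

```powershell
# Added example, not from the original guide: triage the
# DeviceManagement-Enterprise-Diagnostics-Provider Admin log on a Windows device.
# Run elevated on the affected device.

$LogName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$EventIds = 72, 1905, 404   # enrollment failure, app install failure, policy application error

# Short descriptions of the codes this guide covers; unknown codes are shown without a label.
$KnownCodes = @{
    '0x80180026' = 'Enrollment blocked by policy (check MDM authority and enrollment restrictions)'
    '0x80070774' = 'Certificate enrollment failure, or license not yet active (see guide)'
    '0xcaa2000c' = 'Token/authentication error, usually a clock more than 5 minutes off (w32tm /resync /force)'
    '0x80180014' = 'Server-side failure; escalate to Microsoft Support with MDM Diagnostics output'
}

function Get-IntuneDiagnosticEvents {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 200
    )
    $filter = @{
        LogName   = $LogName
        Id        = $EventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result.
        return @()
    }
    foreach ($e in $events) {
        # Hex codes embedded in the message, e.g. 0x80180026 or 0xCAA2000C.
        $codes = [regex]::Matches($e.Message, '0x[0-9A-Fa-f]{8}') |
                 ForEach-Object { $_.Value.ToLower() } |
                 Select-Object -Unique
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Codes   = ($codes -join ', ')
            Meaning = (($codes | ForEach-Object { $KnownCodes[$_] } | Where-Object { $_ }) -join '; ')
            Message = ($e.Message -split "`r?`n")[0]   # first line only, for a compact view
        }
    }
}

Get-IntuneDiagnosticEvents -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```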
Group Policy Conflicts with Intune MDM Policies
In hybrid environments where devices are both domain-joined and Intune-enrolled, Group Policy Objects (GPOs) and Intune configuration profiles can conflict. Intune MDM policies take precedence over Group Policy for the same settings, but only when the MDM policy is actually applied. To force MDM policy precedence for a specific setting on Windows, set this registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration = 0 (DWORD)
For a full inventory of conflicts, run gpresult /h C:\Temp\GPReport.html on the device and cross-reference with the Intune policy list. Settings that appear in both the GPO report and your Intune configuration profile are your conflict candidates.
Conditional Access and Enrollment Deadlock
If your Conditional Access policies require compliant devices and you're trying to enroll new devices, you can create an enrollment deadlock. The fix is to exclude the Intune enrollment endpoints from the "require compliant device" policy. In Microsoft Entra admin center, go to your Conditional Access policy, click Cloud apps or actions, and add Microsoft Intune Enrollment as an excluded app. This allows unenrolled devices to complete enrollment, after which the full Conditional Access requirements kick in.
Certificate Issues: 0x80070774 and 0xcaa2000c
Error 0x80070774 during enrollment typically means a certificate enrollment failure, usually the SCEP or PKCS certificate profile failed to deploy. Check that your NDES server (if using SCEP) is reachable from the device and that the certificate connector in Tenant administration > Connectors and tokens > Certificate connectors shows "Active." Error 0xcaa2000c is a token/authentication error: the device can't get an Azure AD token. This almost always means the device's system clock is more than 5 minutes out of sync with Microsoft's servers. Force an NTP sync with w32tm /resync /force and try enrollment again.
Network Endpoint Requirements
Intune requires specific endpoints to be reachable. If you're behind a strict firewall or proxy, ensure these are allowed outbound on port 443:
*.manage.microsoft.com
manage.microsoft.com
*.microsoftonline.com
*.microsoftonline-p.com
login.microsoftonline.com
portal.manage.microsoft.com
has.spserv.microsoft.com (Device Health Attestation)
*.cdn.office.net (for app deployments)
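To verify the list above from the device that is failing (and to reproduce step 4 of the quick-fix checklist without a browser), this added example (not code from the original guide) opens a TCP 443 connection to each concrete host and completes a TLS handshake with OS trust-store validation. Wildcard entries such as *.manage.microsoft.com cannot be tested as written, so only the concrete host names from the list are checked; a TLS-inspecting proxy typically shows up as TlsOk = False or an unexpected Issuer.

```powershell
# Added example, not from the original guide: check outbound TCP 443 reachability
# and TLS trust for the concrete Intune endpoints listed in this guide.
# Wildcard entries from the list are intentionally omitted rather than guessed.

$Endpoints = @(
    'manage.microsoft.com',
    'portal.manage.microsoft.com',   # the URL the quick-fix checklist opens in a browser
    'login.microsoftonline.com',
    'has.spserv.microsoft.com'       # Device Health Attestation
)

function Test-IntuneEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; TlsOk = $false; Issuer = ''; Error = '' }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Bounded connect so a silently dropped packet doesn't hang the check.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # Full TLS handshake; the server certificate is validated against the OS trust store,
        # so an intercepting proxy with an untrusted CA fails here with an SSL error.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk  = $true
        $result.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-IntuneEndpoint -HostName $_ } | Format-Table -AutoSize -Wrap
```

Any row with TcpOpen = False points at a firewall or proxy rule; TcpOpen = True with TlsOk = False points at certificate inspection or a clock problem on the device.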
Intune Connector for Active Directory
If you're using Hybrid Azure AD joined devices with Windows Autopilot, you need the Intune Connector for Active Directory installed on a domain-joined Windows Server. Go to Devices > Enrollment > Windows enrollment > Intune Connector for Active Directory and download the installer. The connector must have outbound connectivity to manage.microsoft.com and inbound connectivity from the DCs. A failed connector shows "Unhealthy" in the admin center and logs errors in Event Viewer > ODJConnectorAdminDiagnostics.
If you've worked through all of the above and devices still can't enroll or policies won't apply, it may be a tenant-side provisioning issue that only Microsoft can see. Signs it's time to escalate: all devices across all platforms fail (not just one platform), the Intune admin center itself shows service degradation in the Microsoft 365 Service Health dashboard, or error codes in the enrollment logs reference server-side failures like 0x80180014 with no client-side explanation. Open a support ticket at Microsoft Support and include your MDM Diagnostics Tool output and the relevant Event Viewer export; it dramatically speeds up their investigation.
Prevention & Best Practices for Microsoft Intune
Once you've got Microsoft Intune running cleanly, keeping it that way takes a bit of discipline. Here's what separates the Intune deployments that stay healthy from the ones that turn into a maintenance nightmare six months in.
Use security baselines, not ad-hoc configuration profiles. Intune ships with pre-configured security baselines based on Microsoft's security recommendations; go to Endpoint security > Security baselines. These cover Windows, Microsoft Defender for Endpoint, Microsoft 365 Apps for Enterprise, and Edge. Starting from a baseline and adjusting is far safer than building policies from scratch. Fewer gaps, fewer conflicts, and when Microsoft updates the baseline, you get notified.
Scope tags are your friend in large deployments. If you have multiple IT teams managing different device groups, scope tags in Tenant administration > Roles > Scope tags let you delegate admin access without giving everyone Global Administrator rights. An admin scoped to "EMEA Devices" can't accidentally mess up the "North America" policies. This is how you scale Intune management without creating chaos.
Monitor the Intune admin center's built-in reports, but also set up alerts. Go to Reports > Device compliance > Reports and schedule a weekly non-compliant devices report. More importantly, go to Tenant administration > Tenant status and bookmark it; this page shows you service connector health, agent health, and enrollment failures at a glance. Pair this with Microsoft 365 Service Health alerts so you know immediately if there's a platform-side outage.
Test policy changes in a pilot group first, every time. Create an "Intune Pilot" device group with 5-10 representative devices across all platforms. Any new or modified configuration profile, compliance policy, or app deployment goes to this group first. Soak for 48 hours, verify no unexpected side effects, then deploy to the broader fleet. I know this sounds basic, but I've seen a single misconfigured Windows Update ring push a bad update to 3,000 devices because someone skipped the pilot ring.
- Renew your Apple MDM Push Certificate 30 days before expiry; set a calendar reminder the day you create it
- Enable the Intune Company Portal app on all platforms so users can self-service password resets and app installs, reducing helpdesk calls
- Configure Windows Autopatch for automatic Windows Update ring management instead of building update rings manually; it's available as part of Microsoft 365 Business Premium and above
- Run the Intune Configuration Analyzer in Devices > Configuration > Analyze your policies quarterly to catch setting conflicts and deprecated configurations before they cause problems
Frequently Asked Questions
What is Microsoft Intune and what does it actually do for my organization?
Microsoft Intune is a cloud-based endpoint management platform that lets you manage and secure devices, apps, and user access to organizational resources, all from a single web-based admin center. It supports Android, iOS/iPadOS, macOS, Linux Ubuntu Desktop, and Windows devices, whether they're company-owned or personal (BYOD). In practice, it means your IT team can push Wi-Fi settings to every employee's laptop, enforce BitLocker encryption, wipe a lost device remotely, deploy Microsoft 365 Apps silently, and block non-compliant devices from accessing company email, all without touching the devices physically. It's the central nervous system for modern endpoint management, and it replaces on-premises tools like traditional MDM servers and manual software deployment.
Why does my device keep showing as "Not Compliant" in Intune even though everything looks fine?
Nine times out of ten, this is a sync timing issue. Intune evaluates compliance after the device checks in, which happens automatically every 8 hours. If you just made the device compliant (e.g., enabled BitLocker, updated the OS), Intune doesn't know about it yet. Force an immediate sync: on the device, go to Settings > Accounts > Access work or school, click your work account, then click Info > Sync. Alternatively, in the Intune admin center go to the device record and click Sync. Wait 5 minutes and check again. If it's still non-compliant after a sync, click through the compliance status in the admin center; it shows you exactly which compliance setting the device is failing, which tells you precisely what to fix.
What licenses do I need for Microsoft Intune, is it included in Microsoft 365?
Yes, Intune is included in several Microsoft 365 plans. Microsoft 365 Business Premium includes Intune. Microsoft 365 E3 and E5 include it. Enterprise Mobility + Security (EMS) E3 and E5 include it. You can also buy standalone Microsoft Intune Plan 1 licenses. There's also a Microsoft Intune Suite that adds premium features like Remote Help, Endpoint Privilege Management, and Microsoft Tunnel for MAM; those are add-on licenses on top of a base Intune plan. Each user who will enroll a device or receive app protection policies needs a license assigned. If you're unsure which plan fits your organization, the Microsoft Intune licensing page on Microsoft's official site breaks down the feature differences by plan.
Can I manage devices that aren't enrolled in Intune, like personal phones used for work email?
Yes, and this is one of the most useful features in the whole platform. Microsoft Intune App Protection Policies (APP) let you protect corporate data inside apps like Outlook, Teams, Word, and OneDrive without requiring the device to be enrolled in MDM. The user installs the Intune Company Portal app and signs in with their work account, but their personal device stays under their control: you're managing the apps, not the device. You can require a PIN to open Outlook, prevent copying from Outlook to the personal Notes app, block saving attachments to personal cloud storage, and remotely wipe only the corporate app data if the employee leaves, leaving their personal photos and apps completely untouched. Set this up under Apps > App protection policies in the Intune admin center.
What's the difference between Azure AD Join, Hybrid Azure AD Join, and Workplace Join for Intune?
These are three different device identity states that affect how Intune enrollment works. Azure AD Join is for cloud-native devices that sign in with a Microsoft Entra ID (Azure AD) account, no on-premises Active Directory involved. This is the recommended path for new devices. Hybrid Azure AD Join is for devices that are joined to both on-premises Active Directory and Azure AD simultaneously, common in organizations still running on-prem infrastructure. These devices need the Intune Connector for Active Directory and line-of-sight to a domain controller during enrollment. Workplace Join (Register) is the lightest-touch option, used for BYOD devices where the user just registers their personal device to get conditional access to company resources without full MDM enrollment. Pick the wrong join type for your environment and enrollment will fail or policies won't apply correctly.
How do I remotely wipe a lost or stolen device managed by Microsoft Intune?
In the Intune admin center, go to Devices > All Devices and find the device by searching the device name or user's name. Click on the device to open its detail page, then in the top action bar you'll see remote action options. Wipe performs a full factory reset: the device is returned to out-of-box state and all data is removed. Retire is the gentler option: it removes corporate data, apps, and policies while leaving personal data intact (useful for BYOD). Delete removes the device from Intune's records but does NOT wipe the device itself. For immediate data protection on a lost device, use Wipe for corporate-owned devices or Retire for personal ones. The action is queued and executes the next time the device connects to the internet, or immediately if it's currently online.